DNS
Hello BugTraq
Once again, a DNS cache poisoning against a popular DNS cache
server. This time, it's PowerDNS (the third most popular DNS
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A weakness in the DNS protocol has been reported, which could lead to
cache poisoning on recursive resolvers.
Background
==========
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01506861
Version: 5
HPSBUX02351 SSRT080058 rev.5 - HP-UX Running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-07-16
Last Updated: 2010-10-12
A vulnerability was found which may allow a remote attacker to cause a
denial of service to Simple DNS Plus
Sending multiple DNS response packets to the source port of the server
This vulnerability is fixed in the new version of Simple DNS Plus 5.1.101.
usage: sdns-dos.pl <dns server> <dns source port> <num of packets>
Exploit written by Exodus.
http://www.blackhat.org.il
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: pdnsd: Denial of Service and cache poisoning
Date: January 11, 2009
Bugs: #231285
ID: 200901-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).
To fix this dns leak/security hole, follow these steps:
Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
Type “websocket” (again, without the quotes) into the search bar that appears below "about:config".
Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.
Double reverse DNS, which checks the name found using reverse DNS matches the
IP address enquired about is now common. I was wondering whether about has
applied the same technique to forward DNS queries too.
The idea here is that a client that finds www.example.com is 192.168.3.42 does
not trust this information. Instead it looks up 42.3.168.192.in-addr.arpa and
checks for a PTR record saying www.example.com. If one is not found then the
result is disinformation and should not be used. Of course if the bad guy also
controls the client's information about the reverse zone it still loses.
1. An interface must have IPv6 enabled.
2. One or more of the following IPv4 UDP-based services must be
enabled:
TACACS - port 49
Domain Name System (DNS) server - port 53
Resource Reservation Protocol (RSVP) - port 1698
Layer Two Forwarding (L2F)/Layer Two Tunnel Protocol (L2TP) -
port 1701
IP SLA Responder - port 1967
Media Gateway Control Protocol (MGCP) - port 2427
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01506861
Version: 6
HPSBUX02351 SSRT080058 rev.6 - HP-UX Running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-07-16
Last Updated: 2010-12-15
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01506861
Version: 4
HPSBUX02351 SSRT080058 rev.4 - HP-UX Running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-07-16
Last Updated: 2008-08-08
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.
http://www.debian.org/security/ Martin Schulze
June 15th, 2010 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : bind9
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382
This update restores the PID file location for bind to the location
http://www.debian.org/security/ Florian Weimer
June 04, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : bind9
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382
Several cache-poisoning vulnerabilities have been discovered in BIND.
dnsmasq (http://www.thekelleys.org.uk/dnsmasq/doc.html) a popular DHCP
and DNS forwarder and cache server used on many DSL/Cable routers now
has a simple DNS Rebinding protection mechanism. When executed with the
--stop-dns-rebind option the DNS resolver in dnsmasq will filter out
private IP addresses (127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8,
172.16.0.0/12 and 169.254.0.0/16). This should be sufficient for most
private/home users.
Feedback welcome.
> Not at all, if you have the ability to integrate DNS lookups into
> your filtering process (coupled with a DNS cache running locally on
> the firewall, this should not be particularly demanding on your
> resources). This problem has already been solved by people wanting
> to weight scores for incoming E-mail from mailservers in different
> geographic regions. One of the more popular free geographic DNS
> lookup services is described at http://countries.nerd.dk/ (and
> Jacobsen makes updated versions of his DNS zone data available for
> download in case you want to host your own copy instead of relying
> on someone else's nameservers).
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01123426
Version: 2
HPSBUX02251 SSRT071449 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-01
Last Updated: 2007-09-10
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01123426
Version: 1
HPSBUX02251 SSRT071449 rev.1 - HP-UX Running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-01
Last Updated: 2007-08-01
http://www.debian.org/security/ Florian Weimer
December 23, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : bind9
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-4022
CERT advisory : VU#418861
[...]
> First thing I found out was that if one does decide to block
> entire countries, that it's going to be a bit of work from a rule
> standpoint.
Not at all, if you have the ability to integrate DNS lookups into
your filtering process (coupled with a DNS cache running locally on
the firewall, this should not be particularly demanding on your
resources). This problem has already been solved by people wanting
to weight scores for incoming E-mail from mailservers in different
geographic regions. One of the more popular free geographic DNS
ISR-evilgrade: is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates.
* How does it work?
It works with modules, each module implements the structure needed to emulate a false update of specific applications/systems.
Evilgrade needs the manipulation of the victim dns traffic.
Attack vectors:
---------------------
Internal scenario: (Internal DNS access, ARP spoofing, DNS Cache Poisoning, DHCP spoofing)
For this workaround to be effective, the group policy needs to be
applied to all site-to-site (tunnel type "ipsec-l2l") and remote access
(tunnel type "ipsec-ra") tunnel groups.
Warning: In addition to filtering out IKE traffic on UDP port 4500, this
workaround may also affect other protocols like DNS and SNMP that send
traffic on UDP port 4500. For example, if a DNS resolver sends traffic
from UDP port 4500 to a DNS server, the response from the DNS server
will be destined to UDP port 4500, which then may be filtered out by the
filter used in this workaround.
Such exploitation could take place by a number of mechanisms. For example:
a) Compromising the FLEXnet Connect servers directly.
b) Filtering client system traffic through malicious proxy.
d) Utilizing DNS insecurities to cause any of the above.
e) Also, by directing clients to malicious website, ActiveX objects can be
used to trigger the exploit on the attacker's schedule, (but MiTM
mechanisms may still be needed to support this).
=============================================================================
FreeBSD-SA-09:04.bind Security Advisory
The FreeBSD Project
Topic: BIND DNSSEC incorrect checks for malformed signatures
Category: contrib
Module: bind
Announced: 2009-01-13
Credits: Google Security Team
http://www.debian.org/security/ Florian Weimer
July 08, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : bind
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113
Proof of concept, version 4.0.4:
https://[yourserver]/cgi-bin/Calcium40.pl?Op=ShowIt&CalendarName=XSS_%3Cbody%20onload=alert(document.cookie)%3E_here
Impact:
Attacker could impersonate victim to do any activity the victim is authorized to do through a compromised web site, for example, initiate funds transfers or access private data. Under some circumstances the existence of this vulnerability in one web site could be used to attack other web sites in the same DNS domain. For example, if host "a.example.com" shares cookies with host "b.example.com" and "b" is vulnerable, "b" can be used to attack "a".
Versions tested:
Calcium 4.0.4 Vulnerable
Calcium 3.10 Vulnerable
Duncan Simpson wrote:
> Double reverse DNS, which checks the name found using reverse DNS matches the
> IP address enquired about is now common. I was wondering whether about has
> applied the same technique to forward DNS queries too.
>
> The idea here is that a client that finds www.example.com is 192.168.3.42 does
> not trust this information. Instead it looks up 42.3.168.192.in-addr.arpa and
> checks for a PTR record saying www.example.com. If one is not found then the
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01660723
Version: 1
HPSBMP02404 SSRT090014 rev.1 - MPE/iX Running BIND/iX, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-01-28
Last Updated: 2009-01-28
g. Updated Service Console package bind
Service Console package bind updated to version 9.3.6-4.P1.el5
The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS) protocols. BIND includes a DNS server
(named); a resolver library (routines for applications to use when
interfacing with DNS); and tools for verifying that the DNS server
is operating correctly.
A flaw was found in the way BIND handles dynamic update message
rb_ary_replace() functions (CVE-2008-2726).
Furthermore, several other vulnerabilities have been reported:
* Tanaka Akira reported an issue with resolv.rb that enables
attackers to spoof DNS responses (CVE-2008-1447).
* Akira Tagoh of RedHat discovered a Denial of Service (crash) issue
in the rb_ary_fill() function in array.c (CVE-2008-2376).
* Several safe level bypass vulnerabilities were discovered and
[examples]
Set a password (NUEVOPASS):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS
Add names to the DNS (216.163.137.3 www.prueba.hkm):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.prueba.hkm&ADDR=216.163.137.3
Disable Wireless Authentication
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0